KSI-AFR-CCM—Collaborative Continuous Monitoring
Formerly KSI-AFR-06
Control Description
FRMR Requirements
Normative requirements from the FedRAMP Requirements and Recommendations document — 14 mandatory, 8 recommended, 5 optional.
Report Availability
Providers MUST make an Ongoing Authorization Report available to all necessary parties every 3 months, covering the entire period since the previous summary, in a consistent format that is human readable; this report MUST include high-level summaries of at least the following information:
- Changes to authorization data
- Planned changes to authorization data during at least the next 3 months
- Accepted vulnerabilities
- Transformative changes
- Updated recommendations or best practices for security, configuration, usage, or similar aspects of the cloud service offering
Next Report Date
Providers MUST publicly include the target date for their next Ongoing Authorization Report with other public authorization data.
Feedback Mechanism
Providers MUST establish and share an asynchronous mechanism for all necessary parties to provide feedback or ask questions about each Ongoing Authorization Report.
Anonymized Feedback Summary
Providers MUST maintain an anonymized and desensitized summary of the feedback, questions, and answers about each Ongoing Authorization Report as an addendum to the Ongoing Authorization Report.
Limit Sensitive Information
Providers MUST NOT irresponsibly disclose sensitive information in an Ongoing Authorization Report that would likely have an adverse effect on the cloud service offering.
Quarterly Review Meeting
Providers MUST host a synchronous Quarterly Review every 3 months, open to all necessary parties, to review aspects of the most recent Ongoing Authorization Reports that the provider determines are of the most relevance to agencies.
Meeting Registration Info
Providers MUST include either a registration link or a downloadable calendar file with meeting information for Quarterly Reviews in the authorization data available to all necessary parties required by ADS-CSL-UCP and ADS-CSO-FCT.
Next Review Date
Providers MUST publicly include the target date for their next Quarterly Review with other public authorization data.
No Irresponsible Disclosure
Providers MUST NOT irresponsibly disclose sensitive information in a Quarterly Review that would likely have an adverse effect on the cloud service offering.
Review Ongoing Reports
Agencies MUST review each Ongoing Authorization Report to understand how changes to the cloud service offering may impact the previously agreed-upon risk tolerance documented in the agency's Authorization to Operate of a federal information system that includes the cloud service offering in its boundary.
Notify FedRAMP of Concerns
Agencies MUST notify FedRAMP by sending an email to info@fedramp.gov if the information presented in an Ongoing Authorization Report, Quarterly Review, or other ongoing authorization data causes significant concerns that may lead the agency to stop operation of the cloud service offering.
Notify FedRAMP After Requests
Agencies MUST notify FedRAMP after requesting any additional information or materials from a cloud service provider beyond those FedRAMP requires by sending an email to info@fedramp.gov.
No Additional Requirements
Agencies MUST NOT place additional security requirements on cloud service providers beyond those required by FedRAMP UNLESS the head of the agency or an authorized delegate makes a determination that there is a demonstrable need for such; this does not apply to seeking clarification or asking general questions about authorization data.
Implementation Summaries
Providers MUST maintain simple high-level summaries of at least the following for each Key Security Indicator:
- Goals for how it will be implemented and validated, including clear pass/fail criteria and traceability
- The consolidated _information resources_ that will be validated (this should include consolidated summaries such as "all employees with privileged access that are members of the Admin group")
- The machine-based processes for _validation_ and the _persistent_ cycle on which they will be performed (or an explanation of why this doesn't apply)
- The non-machine-based processes for _validation_ and the _persistent_ cycle on which they will be performed (or an explanation of why this doesn't apply)
- Current implementation status
- Any clarifications or responses to the assessment summary
Spread Out Reports
Providers SHOULD establish a regular 3 month cycle for Ongoing Authorization Reports that is spread out from the beginning, middle, or end of each quarter.
Schedule Around Reports
Providers SHOULD regularly schedule Quarterly Reviews to occur at least 3 business days after releasing an Ongoing Authorization Report AND within 10 business days of such release.
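One way to check a reporting calendar against the cadence rules above (the 3-month report cycle under Report Availability and the 3 to 10 business day window under Schedule Around Reports), written here as an added example and not taken from FedRAMP or this page. It assumes that "every 3 months" means no later than 3 calendar months after the previous release, treats only weekends as non-business days (federal holidays are not modelled), and runs over a constructed sample schedule.

```python
from datetime import date, timedelta

# Thresholds taken from the CCM requirement text: reports every 3 months (MUST),
# Quarterly Review 3 to 10 business days after the report is released (SHOULD).
MAX_REPORT_GAP_MONTHS = 3
REVIEW_MIN_BDAYS, REVIEW_MAX_BDAYS = 3, 10

# Constructed sample schedule: (report release date, Quarterly Review date), oldest first.
SAMPLE_SCHEDULE = [
    (date(2025, 1, 15), date(2025, 1, 22)),  # review 5 business days later: fine
    (date(2025, 4, 14), date(2025, 4, 15)),  # review only 1 business day later
    (date(2025, 7, 21), date(2025, 8, 1)),   # released more than 3 months after April 14
]


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamped to the last day of a shorter month."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    last_day = (date(year + month // 12, month % 12 + 1, 1) - timedelta(days=1)).day
    return date(year, month, min(d.day, last_day))


def business_days_between(start: date, end: date) -> int:
    """Count Mon-Fri days after `start` up to and including `end`.
    Assumption: only weekends are skipped; federal holidays are not modelled."""
    count, cur = 0, start
    while cur < end:
        cur += timedelta(days=1)
        if cur.weekday() < 5:
            count += 1
    return count


def check_schedule(schedule):
    """Return (findings, next_report_target) for an ordered list of
    (report_release, quarterly_review) date pairs."""
    findings = []
    for i, (release, review) in enumerate(schedule):
        if i > 0:
            prev = schedule[i - 1][0]
            if release > add_months(prev, MAX_REPORT_GAP_MONTHS):
                findings.append(f"MUST: report {release} is more than {MAX_REPORT_GAP_MONTHS} months after {prev}")
        bdays = business_days_between(release, review)
        if not REVIEW_MIN_BDAYS <= bdays <= REVIEW_MAX_BDAYS:
            findings.append(f"SHOULD: review {review} is {bdays} business days after report {release}")
    # The target date for the next report is published with the other authorization data.
    next_target = add_months(schedule[-1][0], MAX_REPORT_GAP_MONTHS)
    return findings, next_target
```

Running `check_schedule(SAMPLE_SCHEDULE)` yields one SHOULD finding for the April review and one MUST finding for the late July report, with 2025-10-21 as the next target date.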
Additional Content
Providers SHOULD include additional information in Quarterly Reviews that the provider determines is of interest, use, or otherwise relevant to agencies.
Record/Transcribe Reviews
Providers SHOULD record or transcribe Quarterly Reviews and make such available to all necessary parties with other authorization data.
Restrict Third Parties
Providers SHOULD NOT invite third parties to attend Quarterly Reviews intended for agencies unless they have specific relevance.
Consider Security Category
Agencies SHOULD consider the Security Category noted in their Authorization to Operate of the federal information system that includes the cloud service offering in its boundary and assign appropriate information security resources for reviewing Ongoing Authorization Reports, attending Quarterly Reviews, and other ongoing authorization data.
Notify Provider of Concerns
Agencies SHOULD formally notify the provider if the information presented in an Ongoing Authorization Report, Quarterly Review, or other ongoing authorization data causes significant concerns that may lead the agency to remove the cloud service offering from operation.
Application within MAS
Providers SHOULD apply ALL Key Security Indicators to ALL aspects of their cloud service offering that are within the FedRAMP Minimum Assessment Scope.
Optional guidance (MAY)
Responsible Public Sharing
Providers MAY responsibly share some or all of the information an Ongoing Authorization Report publicly or with other parties if the provider determines doing so will NOT likely have an adverse effect on the cloud service offering.
Share Recordings Responsibly
Providers MAY responsibly share recordings or transcriptions of Quarterly Reviews with the public or other parties ONLY if the provider removes all agency information (comments, questions, names, etc.) AND determines sharing will NOT likely have an adverse effect on the cloud service offering.
Share Content Responsibly
Providers MAY responsibly share content prepared for a Quarterly Review with the public or other parties if the provider determines doing so will NOT likely have an adverse effect on the cloud service offering.
Senior Security Reviewer
Agencies MAY designate a senior information security official to review Ongoing Authorization Reports and represent the agency at Quarterly Reviews for cloud service offerings included in agency information systems with a Security Category of High.
AFR Order of Criticality
Providers MAY use the following order of criticality for approaching Authorization by FedRAMP Key Security Indicators for an initial authorization package:
- Minimum Assessment Scope (MAS)
- Authorization Data Sharing (ADS)
- Using Cryptographic Modules (UCM)
- Vulnerability Detection and Response (VDR)
- Significant Change Notifications (SCN)
- Persistent Validation and Assessment (PVA)
- Secure Configuration Guide (RSC)
- Collaborative Continuous Monitoring (CCM)
- FedRAMP Security Inbox (FSI)
- Incident Communications Procedures (ICP)
Trust Center Components
Ways to express your implementation of this indicator — approaches vary by organization size, complexity, and data sensitivity.
From the field: Mature implementations express ConMon posture through automated pipelines — scan results streamed to dashboards, POA&Ms tracked as code in issue trackers, and deviation alerts triggering automated notifications. Per ADS-CSO-CBF, automation must ensure consistency between human-readable and machine-readable formats, making monthly PDF reports an artifact of the pipeline, not the source of truth.
Continuous Monitoring Dashboard
Dashboard expressing ConMon posture — scan results, POA&M status, and deviation alerts shared with agencies as a living view rather than periodic snapshots
ConMon Automation Pipeline
How automated evidence collection feeds ConMon reporting — scan orchestration, POA&M tracking, and report generation without manual intervention
Monthly ConMon Report Archive
Historical archive of ConMon reports — generated from automated pipelines rather than manually assembled
Continuous Monitoring Plan
Human-readable ConMon plan describing monitoring cadence, tools, and reporting procedures — the intent behind automated implementation
Programmatic Queries
CLI Commands
aws configservice get-compliance-summary-by-config-rule --output table
aws configservice describe-configuration-recorders --query "ConfigurationRecorders[].{Name:name,RoleARN:roleARN,AllSupported:recordingGroup.allSupported}" --output table
20x Assessment Focus Areas
Aligned with FedRAMP 20x Phase Two assessment methodology
Completeness & Coverage:
- Does your CCM plan cover every KSI and all in-scope system components, or are there gaps in what is continuously monitored?
- How do you ensure quarterly reviews address findings from all leveraging agencies, not just a subset?
- When a new service component is added to the authorization boundary, what process ensures it is folded into continuous monitoring?
- Are there any security controls or KSIs excluded from ongoing authorization reporting, and if so, how is the exclusion justified?
Automation & Validation:
- What happens if your automated continuous monitoring pipeline fails to collect data from a source — how is the gap detected?
- How do you validate that aggregated security metrics in ongoing authorization reports are accurate and not masking underlying issues?
- What automated tests confirm your quarterly review data reflects the real-time state of your environment?
- If a monitoring agent or integration goes offline, what alerting mechanism fires and within what timeframe?
Inventory & Integration:
- What tools feed into your continuous monitoring program (vulnerability scanners, CSPM, SIEM, EDR), and how do you ensure all are reporting?
- How does your continuous monitoring data integrate with the FedRAMP CCM reporting mechanism or portal?
- Are any monitoring data points collected manually rather than from automated tool integrations, and how do you track their freshness?
- How do you reconcile asset inventories across monitoring tools to confirm every in-scope resource is covered?
Continuous Evidence & Schedules:
- What is the exact cadence for ongoing authorization reports and quarterly reviews, and how do you prove you have met every deadline?
- Is your continuous monitoring evidence available via API for FedRAMP or agency consumption, or only as periodic document exports?
- How do you detect drift between your reported security posture and actual system state between quarterly review cycles?
- What evidence demonstrates remediation actions from past quarterly reviews were completed on schedule?